[OPENAM-4550] document how to build and use a custom SAML IdP/SP Attribute Mapper Created: 26/Sep/14  Updated: 23/Sep/20

Status: Open
Project: OpenAM
Component/s: documentation
Affects Version/s: 10.0.0, 10.0.1, 10.1.0-Xpress, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 12.0.0
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Bernhard Thalmayr Assignee: Unassigned
Resolution: Unresolved Votes: 0
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by OPENAM-6886 Administration Guide should document ... Resolved
Support Ticket IDs:


OpenAM allows the use of a custom IdP or SP Attribute Mapper by implementing the interface http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/sun/identity/saml2/plugins/IDPAttributeMapper.html or http://docs.forgerock.org/en/openam/11.0.0/apidocs/com/sun/identity/saml2/plugins/SPAttributeMapper.html, respectively, and configuring it as the Attribute Mapper instead of com.sun.identity.saml2.plugins.DefaultSPAttributeMapper or com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Comment by Chris Lee [ 03/Feb/15 ]

Have asked Andy Hall for feedback on this, and the related issues. If additional documentation is required, we could perhaps take inspiration from: http://docs.oracle.com/cd/E19681-01/820-3748/ggiei/index.html

In particular: If implementing a custom attribute mapper, change the value of the provider's Attribute Mapper property using the OpenSSO Enterprise console.

Comment by Chris Lee [ 10/Feb/15 ]

Andy has said there may be some development effort in the area of SAML for OpenAM13, and perhaps this documentation effort could be delayed to coincide with that.

Comment by David Goldsmith [ 18/Sep/15 ]

Comment from user aivo.kalu (originally submitted as DOCS-347):

The manual section http://openam.forgerock.org/doc/bootstrap/admin-guide/index.html#sp-assertion-processing should mention that one can also use the session attributes to include in the SAML assertion.

The corresponding code seems to be in the class 'DefaultLibraryIDPAttributeMapper'

    if (localAttributeValues == null) {
        localAttributeValues = SessionManager.getProvider().getProperty(session, localAttribute);
    }

and it works fine; however, it seems to be undocumented. The closest hint I found is from the REST STS section (http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/webhelp/dev-guide/rest-sts-mapping.html), which says that "which looks at profile attributes in the data stores or in the session properties for each published REST STS instance.", but this is an entirely different service, I suppose. And it doesn't have any examples either.
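Added example (not part of this issue, its comments, or OpenAM's source): a sketch of a custom IdP attribute mapper that implements the IDPAttributeMapper interface linked in the description and releases only an explicit allow-list of session properties into the assertion, using the same SessionManager call quoted in the comment above. The package, class name, and the attribute and property names are hypothetical; the code assumes the OpenAM 11 SAML2 plugin API and must be compiled against the OpenAM libraries.

```java
package org.example.saml2; // hypothetical package

import com.sun.identity.plugin.session.SessionException;
import com.sun.identity.plugin.session.SessionManager;
import com.sun.identity.saml2.assertion.AssertionFactory;
import com.sun.identity.saml2.assertion.Attribute;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.IDPAttributeMapper;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class SessionPropertyIDPAttributeMapper implements IDPAttributeMapper {
    // SAML attribute name -> session property name. Only properties listed
    // here are ever released to the SP (both names are constructed samples).
    private static final Map<String, String> RELEASED = new LinkedHashMap<String, String>();
    static {
        RELEASED.put("authLevel", "AuthLevel");
        RELEASED.put("department", "dept");
    }

    @Override
    public List<Attribute> getAttributes(Object session, String hostEntityID,
            String remoteEntityID, String realm) throws SAML2Exception {
        List<Attribute> attributes = new ArrayList<Attribute>();
        for (Map.Entry<String, String> entry : RELEASED.entrySet()) {
            String[] values;
            try {
                // Same call the default mapper falls back to for session properties.
                values = SessionManager.getProvider().getProperty(session, entry.getValue());
            } catch (SessionException e) {
                throw new SAML2Exception(e);
            }
            if (values == null || values.length == 0) {
                continue; // property not set on this session: emit nothing
            }
            Attribute attribute = AssertionFactory.getInstance().createAttribute();
            attribute.setName(entry.getKey());
            attribute.setAttributeValueString(Arrays.asList(values));
            attributes.add(attribute);
        }
        // Assumption: the caller treats null as "no attribute statement".
        return attributes.isEmpty() ? null : attributes;
    }
}
```

To use it, make the compiled class available to the OpenAM web application and set its fully qualified name as the hosted IdP's Attribute Mapper property in place of the default mapper.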

Generated at Sun Sep 27 23:24:05 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.